Privacy Policy
Contents
- 1. Introduction
- 2. Information We Collect
- 3. How We Use Your Information
- 4. Legal Basis for Processing
- 5. Information Sharing and Disclosure
- 6. International Data Transfers
- 7. Data Retention
- 8. Data Security
- 9. Your Rights
- 10. Cookies and Tracking
- 11. Children's Privacy
- 12. Changes to This Policy
- 13. Contact Us
1. Introduction
Vydapy Ltd, trading as Vydapay ("we", "us", "our", or "Vydapay"), is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our corporate card management platform, website, mobile applications, and related services (collectively, the "Services").
We are registered in England and Wales under company number 14892156, with our registered office at 100 Lots Rd, London, SW10 0QJ, United Kingdom. Vydapay is authorised and regulated by the Financial Conduct Authority (FCA) as an Electronic Money Institution.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Vydapy Ltd is the data controller responsible for your personal data.
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to be bound by it. If you do not agree with our policies and practices, please do not use our Services.
2. Information We Collect
We collect information in several ways when you interact with our Services. The types of information we collect include:
2.1 Information You Provide Directly
- Account Registration Information: When you create an account, we collect your company name, contact name, email address, phone number, company size, industry sector, and password.
- Identity Verification Information: To comply with anti-money laundering (AML) and know-your-customer (KYC) regulations, we collect government-issued identification documents, proof of address, date of birth, and in some cases, photographs or video recordings for identity verification purposes.
- Business Information: Details about your business including company registration number, VAT number, registered address, trading address, beneficial ownership information, and director details.
- Financial Information: Bank account details, transaction history, spending patterns, and credit assessment information necessary to provide our card services.
- Communication Data: Records of correspondence when you contact our customer support, including emails, chat transcripts, and phone call recordings.
- Survey and Feedback Data: Information you provide in response to surveys, feedback forms, or research participation.
2.2 Information Collected Automatically
- Transaction Data: Details of every transaction made using Vydapay cards, including merchant information, transaction amounts, dates, times, locations, and payment methods.
- Device Information: Hardware model, operating system version, unique device identifiers, mobile network information, and browser type.
- Log Data: IP addresses, access times, pages viewed, links clicked, and actions taken within our Services.
- Location Data: With your consent, we may collect precise location data from your mobile device to provide location-based features and fraud prevention.
- Cookie Data: Information collected through cookies, pixel tags, and similar technologies as described in our Cookie Policy.
2.3 Information from Third Parties
- Credit Reference Agencies: Credit history and financial standing information from credit bureaus such as Experian, Equifax, and TransUnion.
- Identity Verification Services: Verification results from third-party identity providers like Onfido and Jumio.
- Fraud Prevention Services: Risk scores and fraud indicators from fraud detection services.
- Companies House: Public company registration and director information.
- Banking Partners: Transaction confirmations and account status updates from our banking and card network partners.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Providing and Improving Our Services
- Creating and managing your Vydapay account and cards
- Processing transactions and managing your spending limits
- Providing customer support and responding to inquiries
- Personalising your experience and providing tailored recommendations
- Developing new features, products, and services
- Analysing usage patterns to improve our platform
3.2 Security and Compliance
- Verifying your identity and preventing fraud
- Monitoring for suspicious or potentially illegal activity
- Complying with legal obligations, including AML, KYC, and tax reporting requirements
- Responding to law enforcement requests and legal processes
- Enforcing our terms and conditions
3.3 Communication
- Sending transaction notifications and account alerts
- Providing important service updates and security notices
- Delivering marketing communications (where you have opted in)
- Conducting customer satisfaction surveys
4. Legal Basis for Processing
Under UK GDPR, we must have a lawful basis for processing your personal data. The legal bases we rely on include:
- Contract: Processing necessary to perform our contract with you to provide the Services.
- Legal Obligation: Processing required to comply with laws and regulations, including financial services regulations, AML requirements, and tax obligations.
- Legitimate Interests: Processing necessary for our legitimate business interests, such as fraud prevention, service improvement, and direct marketing to existing customers, where these interests are not overridden by your rights.
- Consent: Where you have given explicit consent, such as for marketing communications or optional data sharing. You may withdraw consent at any time.
5. Information Sharing and Disclosure
We may share your information with the following categories of recipients:
5.1 Service Providers
We work with trusted third-party service providers who assist us in operating our business, including:
- Card network providers (Mastercard)
- Banking partners and payment processors
- Cloud hosting and infrastructure providers
- Customer support platforms
- Analytics and monitoring services
- Marketing and communication platforms
5.2 Regulatory and Legal Disclosures
We may disclose your information when required by law or to:
- Comply with legal process, court orders, or government requests
- Report to financial regulators including the FCA and HMRC
- Prevent fraud, money laundering, or other illegal activities
- Protect the rights, property, or safety of Vydapay, our users, or others
5.3 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or control of your personal data.
6. International Data Transfers
Your information may be transferred to and processed in countries outside the United Kingdom and European Economic Area. When we transfer data internationally, we ensure appropriate safeguards are in place, including:
- Transfers to countries with an adequacy decision from the UK or EU
- Standard Contractual Clauses approved by the UK ICO or European Commission
- Binding Corporate Rules for transfers within corporate groups
- Other legally recognised transfer mechanisms
You may request a copy of the safeguards we use by contacting our Data Protection Officer.
7. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including:
- Active accounts: For the duration of your account relationship plus any required retention period
- Transaction records: Seven years after the transaction date, as required by financial regulations
- KYC/AML records: Five years after the business relationship ends
- Marketing preferences: Until you withdraw consent or update preferences
- Legal claims: As long as relevant for potential legal proceedings
When data is no longer required, we securely delete or anonymise it in accordance with our data destruction policies.
8. Data Security
We implement comprehensive security measures to protect your personal data, including:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Multi-factor authentication for account access
- Regular security assessments and penetration testing
- Access controls and role-based permissions
- 24/7 security monitoring and intrusion detection
- Employee security training and background checks
- SOC 2 Type II certification and PCI DSS compliance
While we take all reasonable precautions, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of your data.
9. Your Rights
Under UK data protection law, you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your data in certain circumstances
- Right to Restriction: Request limitation of processing in certain circumstances
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Rights Related to Automated Decisions: Request human review of significant automated decisions
To exercise these rights, please contact our Data Protection Officer. We will respond within one month, or inform you if an extension is needed. Some rights may be limited where we have overriding legitimate interests or legal obligations.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
10. Cookies and Tracking
We use cookies and similar technologies to enhance your experience, analyse usage, and assist in our marketing efforts. For detailed information about our use of cookies, including how to manage your preferences, please see our Cookie Policy.
11. Children's Privacy
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements, or for other operational reasons. We will notify you of material changes by:
- Posting the updated policy on our website with a new "Last Updated" date
- Sending an email notification to registered users
- Displaying a prominent notice within our Services
We encourage you to review this policy periodically. Your continued use of our Services after changes become effective constitutes acceptance of the revised policy.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Data Protection Officer
Vydapy Ltd
100 Lots Rd
London, SW10 0QJ
United Kingdom
Email: privacy@vydapay.com
Phone: +44 151 263 0173
We aim to respond to all legitimate requests within one month.